Initialize repository snapshot

spec/SENTINEL_EVIDENCE_STANDARD.md

@@ -0,0 +1,41 @@
+# Sentinel Evidence Standard v1
+
+Status: Draft (implementation-oriented)  
+Scope: VaultMesh Sentinel v1 offline-verifiable evidence artifacts
+
+## 1) What “evidence” means here
+
+Evidence is a **portable, offline-verifiable artifact set** that allows an auditor to deterministically verify:
+- what happened (`action_executed`)
+- what was attempted (`action_intent`)
+- what was denied (`shadow_receipt`)
+- and whether the history was tampered with (`prev_event_hash` + roots + integrity digests)
+
+## 2) Required artifact set (seal bundle)
+
+A seal bundle is the canonical evidence package. At minimum it contains:
+- `seal.json`
+- `integrity.json`
+- `verifier_manifest.json`
+- `receipts.jsonl` (or declared ledger export)
+- `roots.txt`
+
+## 3) Cryptographic defaults (v1)
+
+- Signing: Ed25519 (where signatures are used; v1 verifier does not require a seal signature)
+- Hashing: `blake3` **or** `sha256` (declared in artifacts; verifier MUST respect the declared `hash_algo`)
+- Canonicalization: pinned by `canonicalization_version` and enforced by the verifier
+
+## 4) Verification entrypoints (offline)
+
+Single bundle:
+- `python3 vaultmesh-orgine-mobile/tools/vm_verify_sentinel_bundle.py --bundle vaultmesh-orgine-mobile/testvectors/sentinel/black-box-that-refused --strict`
+
+All testvectors (includes determinism check):
+- `bash vaultmesh-orgine-mobile/tools/run_sentinel_testvectors.sh`
+
+## 5) Failure codes are contractual
+
+Failure codes are stable and must not be reused across meanings:
+- Source of truth: `vaultmesh-orgine-mobile/tools/sentinel_failure_codes.py`
+